HECO Bridge and HTX Hack - November 22, 2023
Overview
Two separate hacks targeting Justin Sun-affiliated projects resulted in approximately $99 million in losses on November 22, 2023.
What Happened
The incidents occurred in rapid succession:
1. HECO Bridge Attack: $86.6 million stolen from the Huobi ECO Chain's Ethereum bridge
2. HTX Hot Wallet Attack: $12.5 million compromised from HTX (formerly Huobi) hot wallets
Justin Sun acknowledged both attacks approximately two hours after the initial alerts, promising compensation for HTX losses while stating that "all funds in HTX are secure."
Technical Root Cause
The article does not explicitly detail a specific technical vulnerability. However, security researchers suggested that "vulnerabilities exploited in previous hacks could have been reused, given the connections between the affected entities."
Attack Vector
HECO Bridge: A compromised operator account (0x3d655889d197125fb90dcb72e4a287a8410ed1b9) initiated unauthorized withdrawals from the bridge contract, transferring funds to an attacker address.
HTX Wallets: Compromised hot wallet addresses directly transferred assets to separate attacker-controlled addresses.
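Both vectors above are a trusted key moving funds to a new destination, which a withdrawal monitor can flag with a recipient allowlist and a rolling outflow cap. The following is an added example, not code from the article or from HECO/HTX; the three addresses come from this page, while the timestamps, USD amounts, USER_A/USER_B, the allowlist and the cap are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass

# Addresses as listed under "Key Addresses" on this page.
BRIDGE = "0xa929022c9107643515f5c777ce9a910f0d1e490c"
OPERATOR = "0x3d655889d197125fb90dcb72e4a287a8410ed1b9"
ATTACKER = "0xfc146d1caf6ba1d1ce6dcb5b35dcbf895f50b0c4"

@dataclass(frozen=True)
class Withdrawal:
    ts: int         # unix seconds
    initiator: str  # account that signed the withdrawal
    source: str     # contract or wallet the funds left
    recipient: str
    usd: float

class OutflowMonitor:
    """Flags withdrawals to unknown recipients or above a rolling USD cap per source."""
    def __init__(self, known_recipients, cap_usd, window_s):
        self.known = {a.lower() for a in known_recipients}
        self.cap_usd, self.window_s = cap_usd, window_s
        self.recent = {}  # source -> deque of (ts, usd) inside the window

    def check(self, w):
        reasons = [] if w.recipient.lower() in self.known else ["unknown_recipient"]
        q = self.recent.setdefault(w.source.lower(), deque())
        while q and q[0][0] <= w.ts - self.window_s:
            q.popleft()  # drop outflows older than the window
        q.append((w.ts, w.usd))
        if sum(usd for _, usd in q) > self.cap_usd:
            reasons.append("outflow_cap_exceeded")
        return reasons

def scan(events, monitor):
    """Return (event, reasons) for each flagged event, in time order."""
    checked = ((w, monitor.check(w)) for w in sorted(events, key=lambda e: e.ts))
    return [(w, r) for w, r in checked if r]

# Constructed sample events: timestamps, amounts and USER_A/USER_B are invented.
USER_A, USER_B = "0x" + "aa" * 20, "0x" + "bb" * 20
SAMPLE = [
    Withdrawal(1000, OPERATOR, BRIDGE, USER_A, 50_000),
    Withdrawal(1600, OPERATOR, BRIDGE, USER_B, 120_000),
    Withdrawal(2000, OPERATOR, BRIDGE, ATTACKER, 4_000_000),
    Withdrawal(2060, OPERATOR, BRIDGE, ATTACKER, 9_000_000),
    Withdrawal(9000, OPERATOR, BRIDGE, USER_A, 30_000),
]
if __name__ == "__main__":
    for w, r in scan(SAMPLE, OutflowMonitor([USER_A, USER_B], 1_000_000, 3600)):
        print(w.ts, w.recipient, r)
```

In production the same two checks belong in the signing path, so that a flagged withdrawal is held for review rather than only reported.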
Financial Impact
HECO Bridge Losses ($86.6M):
• 42M USDT
• >10,000 ETH (~$19M)
• 489 HBTC ($18.8M)
• 347M SHIB ($2.8M)
• 173k UNI ($930k)
• Additional tokens: USDC, LINK, TUSD
HTX Losses ($12.5M):
• 1,240 ETH ($2.5M)
• 7.3M USDT
• 1.78M USDC
• 62.2k LINK ($870k)
Remediation
Justin Sun announced that deposits and withdrawals were temporarily suspended while investigations proceeded. HTX committed to compensating affected users for hot wallet losses.
Fund Recovery
The article notes that only $8 million of $233 million in losses across three incidents affecting Sun-linked projects (within three months) had been recovered to that point.
Key Addresses
• HECO Attacker: 0xfc146d1caf6ba1d1ce6dcb5b35dcbf895f50b0c4
• HECO Operator (compromised): 0x3d655889d197125fb90dcb72e4a287a8410ed1b9
• HECO Bridge: 0xa929022c9107643515f5c777ce9a910f0d1e490c
• HTX Attacker 1 (ETH): 0x5a22f867dfcb4f32d25a5fa365b9d9d78d5515dc
• HTX Attacker 2 (other assets): 0x121a0ff24027fffcdd0ae008da82f2789c7945cc
Notable Context
The article references similarities to attack patterns associated with North Korea's Lazarus Group, suggesting potential attribution, though the precise attacker identity remained unknown at publication.